Csound getnum() getnum Function Multiple Buffer Overflows - Nessus

High   Plugin ID: 58989

This page contains detailed information about the Csound getnum() getnum Function Multiple Buffer Overflows Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 58989
Name: Csound getnum() getnum Function Multiple Buffer Overflows
Filename: csound_getnum_buffer_overflow.nasl
Vulnerability Published: 2012-02-24
This Plugin Published: 2012-05-04
Last Modification Time: 2018-11-15
Plugin Version: 1.7
Plugin Type: local
Plugin Family: Windows
Dependencies: smb_hotfixes.nasl
Required KB Items [?]: SMB/Registry/Enumerated

Vulnerability Information

Severity: High
Vulnerability Published: 2012-02-24
Patch Published: 2012-02-13
CVE [?]: CVE-2012-0270
CPE [?]: cpe:/a:csounds:csound

Synopsis

The remote host has an application installed that is affected by multiple buffer overflow vulnerabilities.

Description

The version of Csound installed on the remote Windows host is less than 5.16.6. As such, it is reportedly affected by multiple stack- based buffer overflows present in the getnum() function located in util/heti_main.c and util/pv_import.c

By tricking a user into opening a specially crafted file, an attacker may be able to execute arbitrary code subject to the user's privileges.

Solution

Upgrade to Csound version 5.16.6 or later.

Public Exploits

Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Csound getnum() getnum Function Multiple Buffer Overflows vulnerability:

  1. Metasploit: exploit/windows/fileformat/csound_getnum_bof
    [Csound hetro File Handling Stack Buffer Overflow]
  2. Exploit-DB: exploits/windows/local/18710.rb
    [EDB-18710: Csound - '.hetro' File Handling Stack Buffer Overflow (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score:9.3 (High)
Impact Subscore:10.0
Exploitability Subscore:8.6
CVSS Temporal Score:7.7 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:7.7 (High)

Go back to menu.

Plugin Source

This is the csound_getnum_buffer_overflow.nasl nessus plugin source code. This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. 

#
#  (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58989);
  script_version("1.7");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2012-0270");
  script_bugtraq_id(52144);
  script_xref(name:"EDB-ID", value:"18710");

  script_name(english:"Csound getnum() getnum Function Multiple Buffer Overflows");
  script_summary(english:"Checks version of Csound install");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has an application installed that is affected by
multiple buffer overflow vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Csound installed on the remote Windows host is less
than 5.16.6.  As such, it is reportedly affected by multiple stack-
based buffer overflows present in the getnum() function located in
util/heti_main.c and util/pv_import.c

By tricking a user into opening a specially crafted file, an attacker
may be able to execute arbitrary code subject to the user's
privileges."
  );
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/secunia_research/2012-3/");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5b3b83d2");
  script_set_attribute(attribute:"solution", value:"Upgrade to Csound version 5.16.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Csound hetro File Handling Stack Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/02/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:csounds:csound");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0); 
}

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");
include("audit.inc");

appname = 'Csound';
port = get_kb_item("SMB/transport");

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
key = "SOFTWARE\Classes\CsoundFile\DefaultIcon";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (isnull(key_h))
{
  RegCloseKey(handle:hklm);
  close_registry();
  audit(AUDIT_NOT_INST, appname);
}

res = RegQueryValue(handle:key_h);
RegCloseKey(handle:key_h);
RegCloseKey(handle:hklm);

if (isnull(res))
{
  close_registry();
  exit(1, "Unable to get read the registry key 'HKLM\" + key + "'."); 
}

item = eregmatch(pattern: "(.+)bin\\[^\\]+\.exe,0", string: res[1]);
if (isnull(item))
{
  close_registry();
  exit(1, "Failed to get the path from the registry key 'HKLM\" + key + "'.");
}
close_registry(close:FALSE);

path = item[1];

version_file = ereg_replace(pattern:"^[A-Za-z]:(.*)\\?", 
                            replace:"\1\include\version.h", string:path);
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);

login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);

if (isnull(rc))
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}

fh = CreateFile(
  file:version_file,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
if (isnull(fh))
{
  NetUseDel();
  exit(0, "Evidence of a previous Csound installation exists in the Windows Registry (HKLM\" + key + "), but it does not currently appear to be installed."); 
}

content = "";
  
length = GetFileSize(handle:fh);
content = ReadFile(handle:fh, offset:0, length:length);
CloseFile(handle:fh);

NetUseDel();

if (content == "")
  exit(1, "Failed to read '" + path + "include\version.h'.");

#define CS_VERSION          (5)
#define CS_SUBVER           (16)
#define CS_PATCHLEVEL       (2)
#define CS_APIVERSION       2   /* should be increased anytime a new version
#define CS_APISUBVER        6   /* for minor changes that will still allow

major_ver = NULL;
sub_ver = NULL;
patchlevel = NULL;

item = eregmatch(pattern: "CS_VERSION[ \t]+\(([0-9]+)\)", string: content);
if (!isnull(item[1]))  major_ver = item[1];
item = eregmatch(pattern: "CS_SUBVER[ \t]+\(([0-9]+)\)", string: content);
if (!isnull(item[1])) sub_ver = item[1];
item = eregmatch(pattern: "CS_PATCHLEVEL[ \t]+\(([0-9]+)\)", string: content);
if (!isnull(item[1])) patchlevel = item[1];

version = NULL;
if (!isnull(major_ver) && !isnull(sub_ver) && !isnull(patchlevel))
  version = major_ver + '.' + sub_ver + '.' + patchlevel;

if (isnull(version))
  exit(1, "Unable to extract version information from '" + path + "include\version.h'.");

set_kb_item(name:"SMB/Csound/Installed", value:TRUE);
set_kb_item(name:"SMB/Csound/Version", value:version); 
set_kb_item(name:"SMB/Csound/Path", value:path); 

api_major = NULL;
api_subver = NULL;

item = eregmatch(pattern: "CS_APIVERSION[ \t]+([0-9]+)[^0-9]", string: content);
if (!isnull(item[1])) api_major = item[1];

item = eregmatch(pattern: "CS_APISUBVER[ \t]+([0-9]+)[^0-9]", string: content);
if (!isnull(item[1])) api_subver = item[1];

if (!isnull(api_major) && !isnull(api_subver))
{
  api_version = api_major + '.' + api_subver;
  set_kb_item(name:"SMB/Csound/APIVersion", value:api_version);
}

if (ver_compare(ver:version, fix:'5.16.6', strict:FALSE) == -1)
{
  if (report_verbosity > 0) 
  {
    report = '\n  Path              : ' + path +
             '\n  Installed version : ' + version +
             '\n  Fixed version     : 5.16.6\n';
    security_hole(port:port,extra:report);
  }
  else security_hole(port);
  exit(0);
} 
else audit(AUDIT_INST_VER_NOT_VULN, appname, version);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/csound_getnum_buffer_overflow.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\csound_getnum_buffer_overflow.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/csound_getnum_buffer_overflow.nasl

Go back to menu.

How to Run

Here is how to run the Csound getnum() getnum Function Multiple Buffer Overflows as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select Csound getnum() getnum Function Multiple Buffer Overflows plugin ID 58989.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl csound_getnum_buffer_overflow.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a csound_getnum_buffer_overflow.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - csound_getnum_buffer_overflow.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state csound_getnum_buffer_overflow.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: See also: Similar and related Nessus plugins:
  • 74567 - openSUSE Security Update : csound (openSUSE-SU-2012:0370-1)
  • 75805 - openSUSE Security Update : csound (openSUSE-SU-2012:0315-1)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file csound_getnum_buffer_overflow.nasl version 1.7. For more plugins, visit the Nessus Plugin Library.

Go back to menu.